Commit 6541e1b2 authored by YJ's avatar YJ Committed by Amaury Martiny

#516 Set CSP in Meta tag (#517)

* feat: set csp meta in index.html for prod

* fix grumbles
parent f2cb900f
Pipeline #36935 passed with stages in 10 minutes and 41 seconds
......@@ -37,6 +37,9 @@ function setupRequestListeners (fetherApp) {
);
// Content Security Policy (CSP)
// Note: `onHeadersReceived` will not be called in prod, because we use the
// file:// protocol: https://electronjs.org/docs/tutorial/security#csp-meta-tag
// Instead, the CSP are the ones in the meta tag inside index.html
session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
pino.debug(
`Configuring Content-Security-Policy for environment ${
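Review bot: the new comment is correct that `onHeadersReceived` never fires for `file://` loads in prod, but that leaves the policy maintained in two places (the header built here for dev, the meta tag in index.html for prod) with nothing keeping them in sync, so the dev policy can silently drift from what ships; consider generating both from one shared directive list, or at least adding a test that asserts the meta-tag policy matches the header this function emits. Minor: "the CSP are the ones in the meta tag" should read "the CSP is the one in the meta tag".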
......@@ -4,8 +4,25 @@
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<!-- CSP defined in packages/fether-electron/src/main/app/methods/setupRequestListeners.js -->
<meta name="theme-color" content="#000000">
<!-- These CSP are for prod. For dev, CSP are set inside @electron-app -->
<meta http-equiv="Content-Security-Policy" content="
block-all-mixed-content;
child-src 'none';
connect-src https: ws:;
default-src 'none';
font-src 'none';
form-action 'none';
frame-src 'none';
img-src 'self' 'unsafe-inline' file: data: blob: https:;
manifest-src 'none';
media-src 'none';
object-src 'none';
prefetch-src 'none';
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline' http:;
worker-src blob:;
">
<!--
manifest.json provides metadata used when your web app is added to the
homescreen on Android. See https://developers.google.com/web/fundamentals/engage-and-retain/web-app-manifest/
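Review bot: the untouched comment on the line above the `theme-color` meta (`<!-- CSP defined in packages/fether-electron/src/main/app/methods/setupRequestListeners.js -->`) now contradicts the added "These CSP are for prod" comment and should be removed or folded into it. On the policy itself: `script-src 'self' 'unsafe-inline'` permits any inline script, which removes most of the XSS protection a CSP is meant to provide; if inline scripts are unavoidable, a nonce or hash source would keep that protection. `'unsafe-inline'` in `img-src` is not a valid source expression for that directive (it only applies to script-src and style-src) and will be ignored by the browser, so it can be dropped. `style-src ... http:` allows stylesheets over cleartext HTTP, which sits oddly next to `block-all-mixed-content`; `https:` would be the consistent choice. Finally, `child-src 'none'` together with `worker-src blob:` works only because `worker-src` takes precedence where supported; a comment stating that intent would help the next reader.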